FEATURE
May 15, 2000 By Mike Fratto

Last year brought with it a host of products designed to address network-security woes. At the same time, we saw an explosion of new security holes in entrenched products, including Linux, Microsoft Corp.'s Windows NT, Internet Information Server (IIS) and Internet Explorer, and many third-tier products and e-commerce packages. Just trying to keep up with it all takes a team of people. Not surprisingly, the security vendors are stepping up to the challenge--promising to stop any and all attacks cold. But the reality is there's no simple solution. Crackers are getting more sophisticated. They now attack back-end databases through weakly implemented CGI scripts, and distributed denial-of-service attacks are taking down Web sites weekly.

On the flip side, many customers haven't implemented even basic security measures yet. Some companies are entering the business-to-business and business-to-consumer e-commerce spaces without having taken the first steps in network security. Among these fundamentals are designing and implementing a security policy, keeping servers and applications patched, and maintaining and monitoring logs.

Network security is difficult to get a handle on even for the most seasoned network veterans. To help you lock down and manage your network, you need an integrated security framework that can perform event correlation and take automated actions based on a set of events. Such products are available from Axent Technologies, Check Point Software Technologies, Computer Associates International, IBM Corp., Network Associates and others. These frameworks are designed to act in concert with one another to varying degrees. However, this market is young, and it will take more time to develop sound deployment strategies.

First Line of Defense

Firewalls are an integral part of network security and, when properly implemented, present a huge stumbling block for both script kiddies and professional crackers. Recognizing that attacks are coming through weak servers, services and mobile code, inspection-firewall vendors such as Check Point are implementing features found in proxy firewalls, including protocol syntax checking and basic HTML filtering. Invalid HTTP traffic or Java applets in HTML pages are dropped by the firewall before they reach their targets. Even so, in our most recent tests of firewalls, we used an application-layer attack and slid past all the firewalls except one to successfully attack our own Web server (see "Multisite Firewall Management: Not Enterprise-Ready").

We have also seen an increase in integration with mobile-code and virus scanners, URL filters and IDSes (intrusion-detection systems). VPNs (virtual private networks) also are being implemented on firewalls, though for the most part they don't perform as well as dedicated VPN devices: VPN encryption is too resource-intensive for a general-purpose operating system.

VPN Market Solidifies

The number of VPN products, especially in the software space, has increased substantially. At the same time, however, the number of VPN vendors is shrinking because of acquisitions. Cisco Systems acquired Altiga Networks and Compatible Systems. Newbridge Networks bought TimeStep. Nortel Networks took over Bay Networks. And hardware VPN appliances still outperform software VPNs. Equipped with chip technology specifically designed for high-speed cryptography and with specialized bus architectures, hardware VPNs can achieve throughput of 70 Mbps and above.

But there's more to a VPN than speed. If your VPN is difficult to configure and manage, or fails to interoperate with products from other vendors, you'll be tearing your hair out. Few vendors are even close to making a user-friendly management platform for IPsec (IP security) VPN devices. Nearly all IPsec products require you to manually configure every VPN. A number of vendors claim their products are IPsec-compliant, but that doesn't necessarily mean those products work well with other IPsec-compliant devices. Issues surrounding rekeying times and ID syntax are still being hammered out, and issues regarding remote-user management and configuration also are still up in the air. The Altiga Networks Concentrator offers great centralized management, but on the client side Cisco/Altiga has hitched its wagon to Microsoft Windows 2000. While Internet Resource Engineering (IRE) is selling its SoftPK VPN client on an OEM basis to Cisco, NetScreen Technologies and other companies, many other vendors still require the use of their own clients to support user logins, dynamic addresses and other settings.

Spotting Intruders Before They Enter

IDS is rapidly becoming an integral part of the big picture. The dream of the sleepless sentry raising the alarm when suspicious activity is present certainly is seductive. But don't rely on IDS to replace good old human smarts and strong security talent. Configuring an IDS requires in-depth knowledge of your normal network traffic. Combining IDS with firewalls lets you shun attackers automatically, but IDSes are prone to false positives, and shunning can itself be used as a DoS attack. Until the accuracy of IDS improves, shunning--as a general rule--doesn't make sense.

IDSes have improved over the past year (see "Intrusion Detection, Take Two"). They come in two forms: network-based solutions that watch packets fly by on the wire, and host-based packages that watch users and processes for suspicious activity. Each addresses different needs, and when used in conjunction with other security tools and procedures each can significantly add to your security arsenal. But there are still several problems with attack recognition and IDS performance. Like a virus scanner, an IDS is only as current as its last update; IDSes always lag behind the newest set of attacks.

Additionally, there are performance considerations, especially with a network-based IDS. Our testing revealed that many IDSes simply melted down during periods of high utilization: attacks flew by unnoticed. And that's not the only weakness. By fragmenting the attack packets into unusually small pieces, we were able to slip past most of the IDS solutions we tested. These are some of the key areas in which we expect to see vendors improve this year and beyond.

On the Virus Front

Vendors of virus scanners had a banner year. The spate of Microsoft Office macro viruses and new Trojan horses has kept vendors, mail administrators and end users busy. Vendors have been quick to respond, issuing signature updates within hours of the discovery of a new macro virus. Unfortunately, with the fast infection rate of e-mail viruses, even the shortest lag can be quite damaging. Many end users have been conned into installing Trojans such as BO2K and NetBus. And let's not forget those equally damaging viruses that infect network files and replicate when launched. Whether on the desktop, server or e-mail gateway, more attention has been paid to virus protection than ever before. More viruses are on the way, of course, but a well-thought-out combination of e-mail-, network- and workstation-based scanning will go a long way toward keeping your network virus-free.
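The fragmentation weakness noted in the IDS section above (a signature split across small fragments is missed unless the sensor reassembles the datagram before matching) shown as an added Python example; this is not code from the article or from any product it reviews, and the signature string, the Fragment class and the sample fragments are constructed for illustration.

```python
# Added example, not from the article: reassemble IP fragments before signature matching
# and flag tiny non-final fragments. Constructed data; byte offsets, not 8-byte IP units.
from dataclasses import dataclass

SIGNATURE = b"/cgi-bin/phf"   # hypothetical signature for a CGI probe
@dataclass
class Fragment:
    ident: int      # IP identification shared by all fragments of one datagram
    offset: int     # byte offset of this payload within the original datagram
    more: bool      # more-fragments (MF) flag; False on the last piece
    payload: bytes

def per_packet_match(frags, sig=SIGNATURE):
    # What a non-reassembling IDS does: inspect each fragment on its own.
    return any(sig in f.payload for f in frags)

def reassemble(frags):
    # Return {ident: datagram} for every datagram that is complete and contiguous.
    by_id = {}
    for f in frags:
        by_id.setdefault(f.ident, []).append(f)
    datagrams = {}
    for ident, parts in by_id.items():
        parts.sort(key=lambda p: p.offset)
        buf, expected = bytearray(), 0
        for p in parts:
            if p.offset != expected:   # gap or overlap: do not guess, wait for more
                break
            buf += p.payload
            expected += len(p.payload)
        else:
            if not parts[-1].more:     # last piece seen, so the datagram is whole
                datagrams[ident] = bytes(buf)
    return datagrams

def reassembled_match(frags, sig=SIGNATURE):
    # Match only after reassembly, so a signature split across fragments is still seen.
    return any(sig in d for d in reassemble(frags).values())

def tiny_fragment_alerts(frags, min_len=8):
    # Non-final fragments smaller than min_len are a classic evasion indicator.
    return [f for f in frags if f.more and len(f.payload) < min_len]
# Constructed traffic: datagram 1 is the probe cut into 4-byte pieces, delivered out of
# order; datagram 2 is a benign unfragmented request; datagram 3 is missing a piece.
SAMPLE = [
    Fragment(1, 8, True, b"-bin"), Fragment(1, 0, True, b"GET "),
    Fragment(1, 16, False, b" HTTP/1.0\r\n"), Fragment(1, 4, True, b"/cgi"),
    Fragment(1, 12, True, b"/phf"),
    Fragment(2, 0, False, b"GET /index.html HTTP/1.0\r\n"),
    Fragment(3, 0, True, b"GET "), Fragment(3, 8, False, b"x HTTP/1.0\r\n"),
]
```

On this sample, per_packet_match returns False while reassembled_match returns True, and tiny_fragment_alerts flags the five 4-byte non-final pieces; the incomplete datagram 3 is held back rather than matched on a guess.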